Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump the version-updates group across 1 directory with 4 updates #83

Merged
merged 1 commit into from
Jan 21, 2025
Merged

Bump the version-updates group across 1 directory with 4 updates #83

merged 1 commit into from
Jan 21, 2025

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 21, 2025

Bumps the version-updates group with 4 updates in the / directory: fish-shop/workflows, step-security/harden-runner, github/codeql-action and fish-shop/install-fish-shell.

Updates fish-shop/workflows from 1.10.1 to 1.10.3

Release notes

Sourced from fish-shop/workflows's releases.

v1.10.3

What's Changed

Full Changelog: fish-shop/workflows@v1.10.2...v1.10.3

v1.10.2

What's Changed

Full Changelog: fish-shop/workflows@v1.10.1...v1.10.2

Commits
  • e426b8a Merge pull request #56 from fish-shop/remove-unprivileged-user-namespaces-wor...
  • e8aa838 Merge branch 'main' into remove-unprivileged-user-namespaces-workaround
  • afa9bca Remove unprivileged user namespaces restrictions workaround
  • e58db3d Merge pull request #54 from fish-shop/dependabot/github_actions/version-updat...
  • 825a934 Bump the version-updates group across 1 directory with 2 updates
  • See full diff in compare view

Updates step-security/harden-runner from 2.10.3 to 2.10.4

Release notes

Sourced from step-security/harden-runner's releases.

v2.10.4

What's Changed

Fixed a potential Harden-Runner post step failure that could occur when printing agent service logs. The fix gracefully handles failures without failing the post step.

Full Changelog: step-security/harden-runner@v2...v2.10.4

Commits

Updates github/codeql-action from 3.28.1 to 3.28.2

Release notes

Sourced from github/codeql-action's releases.

v3.28.2

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.2 - 21 Jan 2025

No user facing changes.

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.28.2 - 21 Jan 2025

No user facing changes.

3.28.1 - 10 Jan 2025

  • CodeQL Action v2 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v3. For more information, see this changelog post. #2677
  • Update default CodeQL bundle version to 2.20.1. #2678

3.28.0 - 20 Dec 2024

  • Bump the minimum CodeQL bundle version to 2.15.5. #2655
  • Don't fail in the unusual case that a file is on the search path. #2660.

3.27.9 - 12 Dec 2024

No user facing changes.

3.27.8 - 12 Dec 2024

  • Fixed an issue where streaming the download and extraction of the CodeQL bundle did not respect proxy settings. #2624

3.27.7 - 10 Dec 2024

  • We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. #2631
  • Update default CodeQL bundle version to 2.20.0. #2636

3.27.6 - 03 Dec 2024

  • Update default CodeQL bundle version to 2.19.4. #2626

3.27.5 - 19 Nov 2024

No user facing changes.

3.27.4 - 14 Nov 2024

No user facing changes.

3.27.3 - 12 Nov 2024

No user facing changes.

... (truncated)

Commits
  • d68b2d4 Merge pull request #2708 from github/update-v3.28.2-d90e07f32
  • ea23796 Update changelog for v3.28.2
  • d90e07f Merge pull request #2703 from github/dependabot/npm_and_yarn/npm-cd3f77644b
  • 7b7562b Update checked-in dependencies
  • c168638 build(deps): bump the npm group with 3 updates
  • 0f1559a Merge pull request #2699 from github/cklin/diff-informed-file-fallback
  • 2d608a3 Merge branch 'main' into cklin/diff-informed-file-fallback
  • 94f08f3 Merge pull request #2698 from github/cklin/diff-informed-status-report
  • 071996f getDiffRanges: better fallback for absent patch
  • 5889cfd Add analysis_is_diff_informed to status report
  • Additional commits viewable in compare view

Updates fish-shop/install-fish-shell from 1.0.40 to 1.0.41

Release notes

Sourced from fish-shop/install-fish-shell's releases.

v1.0.41

What's Changed

Full Changelog: fish-shop/install-fish-shell@v1.0.40...v1.0.41

Commits
  • 7a8ccb8 Merge pull request #113 from fish-shop/dependabot/github_actions/version-upda...
  • 410be12 Bump fish-shop/workflows in the version-updates group
  • 93eb7a1 Merge pull request #112 from fish-shop/dependabot/github_actions/version-upda...
  • 9513d8c Bump the version-updates group across 1 directory with 3 updates
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the version-updates group across 1 directory with 4 updates
99d2f9c 
Bumps the version-updates group with 4 updates in the / directory: [fish-shop/workflows](https://github.com/fish-shop/workflows), [step-security/harden-runner](https://github.com/step-security/harden-runner), [github/codeql-action](https://github.com/github/codeql-action) and [fish-shop/install-fish-shell](https://github.com/fish-shop/install-fish-shell).


Updates `fish-shop/workflows` from 1.10.1 to 1.10.3
- [Release notes](https://github.com/fish-shop/workflows/releases)
- [Commits](fish-shop/workflows@d975a60...e426b8a)

Updates `step-security/harden-runner` from 2.10.3 to 2.10.4
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@c95a14d...cb605e5)

Updates `github/codeql-action` from 3.28.1 to 3.28.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@b6a472f...d68b2d4)

Updates `fish-shop/install-fish-shell` from 1.0.40 to 1.0.41
- [Release notes](https://github.com/fish-shop/install-fish-shell/releases)
- [Commits](fish-shop/install-fish-shell@9b876e4...7a8ccb8)

---
updated-dependencies:
- dependency-name: fish-shop/workflows
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: version-updates
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: version-updates
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: version-updates
- dependency-name: fish-shop/install-fish-shell
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: version-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from a team as a code owner January 21, 2025 20:52
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jan 21, 2025
@github-actions GitHub Actions
Copy link

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/fish-shop/workflows/.github/workflows/dependency-review.yml e426b8a8cd7d42e4354b284f172ff88b753164d0 UnknownUnknown
actions/fish-shop/workflows/.github/workflows/markdown-links.yml e426b8a8cd7d42e4354b284f172ff88b753164d0 UnknownUnknown
actions/github/codeql-action/upload-sarif d68b2d4edb4189fd2a5366ac14e72027bd4b37dd UnknownUnknown
actions/step-security/harden-runner cb605e52c26070c328afc4562f0b4ada7618a84e 🟢 8.6
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests🟢 105 out of 5 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 10all changesets reviewed
Contributors🟢 6project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Maintained🟢 1030 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
SAST🟢 9SAST tool detected but not run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities🟢 82 existing vulnerabilities detected
actions/fish-shop/workflows/.github/workflows/release-tags.yml e426b8a8cd7d42e4354b284f172ff88b753164d0 UnknownUnknown
actions/fish-shop/install-fish-shell 7a8ccb8f572f8a14e26361cab2e05ce52fe4f274 🟢 8.4
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
CI-Tests🟢 1015 out of 15 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review⚠️ -1Found no human activity in the last 15 changesets
Contributors🟢 10project has 3 contributing companies or organizations -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Maintained🟢 1030 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 10all dependencies are pinned
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities🟢 100 existing vulnerabilities detected

Scanned Files

  • .github/workflows/dependency-review.yml
  • .github/workflows/markdown-links.yml
  • .github/workflows/openssf-scorecard.yml
  • .github/workflows/release-tags.yml
  • .github/workflows/test.yml

@marcransome
Copy link
Member

@dependabot merge.

@dependabot dependabot bot merged commit d304847 into main Jan 21, 2025
4 checks passed
@dependabot dependabot bot deleted the dependabot/github_actions/version-updates-ed0b598055 branch January 21, 2025 20:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcransome marcransome marcransome approved these changes

Assignees

@marcransome marcransome

Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@marcransome